<html>
<head><meta charset="utf-8"><title>fuzzing targets · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html">fuzzing targets</a></h3>

<hr>


<a name="158769290"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158769290" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158769290">(Feb 18 2019 at 02:16)</a>:</h4>
<p>Hey everybody. I'm going through fuzzing some libraries. Does anyone have any crates, besides stdlib (not looking for that big of a project right now), that they'd like to get some attention? I'm thinking of doing ws-rs next.</p>



<a name="158771174"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158771174" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158771174">(Feb 18 2019 at 03:17)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> I can think of a few good candidates (e.g. <code>bytes</code>) but have no idea if it's already being fuzzed</p>



<a name="158771471"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158771471" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158771471">(Feb 18 2019 at 03:25)</a>:</h4>
<p>Cool. I'll look into it. That'll be a lot easier than ws-rs. The logic for signalling the server to shut down will be a little awkward.</p>



<a name="158771535"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158771535" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158771535">(Feb 18 2019 at 03:27)</a>:</h4>
<p>I already found some decent panics this evening with the first project I started on (mongo_driver), but fixing them will require some API changes. This is my first go with fuzzing and I'm having a lot of fun.</p>



<a name="158798323"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158798323" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> brycx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158798323">(Feb 18 2019 at 13:08)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> I know snow is looking to get some more fuzzing: <a href="https://github.com/mcginty/snow/issues/28" target="_blank" title="https://github.com/mcginty/snow/issues/28">https://github.com/mcginty/snow/issues/28</a></p>



<a name="158807156"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158807156" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158807156">(Feb 18 2019 at 15:23)</a>:</h4>
<p>Awesome. Thanks!</p>



<a name="158832169"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158832169" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158832169">(Feb 18 2019 at 22:08)</a>:</h4>
<p>I'm actually working on making fuzzing viable for targets with large API surfaces such as the stdlib or the OpenSSL bindings. It's in the minimum viable prototype stage: <a href="https://github.com/Eh2406/auto-fuzz-test" target="_blank" title="https://github.com/Eh2406/auto-fuzz-test">https://github.com/Eh2406/auto-fuzz-test</a></p>



<a name="158832293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158832293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158832293">(Feb 18 2019 at 22:10)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> you can update the targets in <a href="https://github.com/rust-fuzz/targets" target="_blank" title="https://github.com/rust-fuzz/targets">https://github.com/rust-fuzz/targets</a> to the latest versions of the libraries and re-run them. I'm pretty sure you're going to get some crashes out of that, since almost nobody does fuzzing on CI.<br>
Also, if you need any tips on fuzzing (like the right way to run AFL in parallel, or how to combine compiling in release mode with sanitizers), feel free to message me. I have a bunch of experience with that.</p>



<a name="158832341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158832341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158832341">(Feb 18 2019 at 22:11)</a>:</h4>
<p>I'm basing my "nobody runs fuzzing on CI and that's a problem" comment on <a href="https://github.com/PistonDevelopers/image-png/issues/103" target="_blank" title="https://github.com/PistonDevelopers/image-png/issues/103">https://github.com/PistonDevelopers/image-png/issues/103</a></p>



<a name="158832820"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158832820" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158832820">(Feb 18 2019 at 22:16)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> also, you can run fuzz code that has <code>unsafe</code> in it under <a href="https://github.com/Shnatsel/libdiffuzz" target="_blank" title="https://github.com/Shnatsel/libdiffuzz">https://github.com/Shnatsel/libdiffuzz</a>; I'm pretty sure nobody's done that before. Since Memory Sanitizer is a pain to use, in the meanwhile libdiffuzz can be used to detect reads from uninitialized memory that affect output. You will have to modify the fuzzing targets for it, though. (Full disclosure: I wrote it.)</p>



<a name="158837420"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158837420" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158837420">(Feb 18 2019 at 23:47)</a>:</h4>
<p>Cool. I'll take a look at it.</p>



<a name="158855361"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158855361" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> brycx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158855361">(Feb 19 2019 at 07:37)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> FWIW, I've used libdiffuzz to fuzz some SIMD code :)</p>



<a name="158909423"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158909423" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158909423">(Feb 19 2019 at 19:08)</a>:</h4>
<p>Oh, that's cool! Found anything?</p>



<a name="158926956"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/158926956" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> brycx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#158926956">(Feb 19 2019 at 22:49)</a>:</h4>
<p>No, "fortunately" not. But if I do and it's a public project (this wasn't) then I'll make sure to open a trophy case!</p>



<a name="159239203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159239203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159239203">(Feb 23 2019 at 18:03)</a>:</h4>
<p>Does anyone have good guidance on converting from the crash artifact dumped in /target by rust fuzz back into the arguments to the fuzz_target? It was easy to handle when I was just passing in Vec&lt;u8&gt;, but I'm starting to get more complex method signatures, so it's hard to sort out.</p>



<a name="159245567"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159245567" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159245567">(Feb 23 2019 at 21:02)</a>:</h4>
<p>If it's AFL, I just replace <code>afl::fuzz!</code> with <code>afl::read_stdio_bytes</code> and run the binary with the test case as input.<br>
If it's something much more complicated, you can use the newly stabilized <code>dbg!</code> macro to extract inputs passed to individual functions: <a href="https://doc.rust-lang.org/std/macro.dbg.html" target="_blank" title="https://doc.rust-lang.org/std/macro.dbg.html">https://doc.rust-lang.org/std/macro.dbg.html</a></p>



<a name="159247932"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159247932" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159247932">(Feb 23 2019 at 22:17)</a>:</h4>
<p>I'm using libfuzzer right now. Looks like I found a good way to do it:</p>
<pre><code>// `arbitrary` 0.2-era API: RingBuffer wraps raw bytes so that
// Arbitrary::arbitrary can decode the fuzz_target's argument type from them.
use arbitrary::{Arbitrary, RingBuffer};

// Raw bytes of the crash artifact that cargo-fuzz wrote out.
let slice = &amp;[0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x40,
               0xff, 0x00, 0xff, 0x00, 0x40, 0xff, 0x00, 0xff,
               0xff, 0xff, 0x00, 0x6c, 0xff, 0x00, 0x00, 0x00, 0x6c];
let mut fb = RingBuffer::new(slice, slice.len()).unwrap();
// Decode the same tuple type the fuzz_target takes, reproducing its arguments.
let rand: (Option&lt;u8&gt;, Vec&lt;Action&gt;) = Arbitrary::arbitrary(&amp;mut fb).unwrap();</code></pre>



<a name="159248043"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159248043" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159248043">(Feb 23 2019 at 22:21)</a>:</h4>
<p>I'm not 100% sure RingBuffer is a good idea. I use a fixed-size buffer instead: <a href="https://gist.github.com/Shnatsel/4a907d44d6429de93d63d6e7c4d1361e" target="_blank" title="https://gist.github.com/Shnatsel/4a907d44d6429de93d63d6e7c4d1361e">https://gist.github.com/Shnatsel/4a907d44d6429de93d63d6e7c4d1361e</a></p>



<a name="159248139"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159248139" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159248139">(Feb 23 2019 at 22:24)</a>:</h4>
<p>I originally used fixed-size, but it panicked. I'll give it a closer look as to why.</p>



<a name="159248272"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159248272" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159248272">(Feb 23 2019 at 22:29)</a>:</h4>
<p>Probably because it tried to allocate very large strings or vectors and ran out of data.</p>



<a name="159248401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159248401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159248401">(Feb 23 2019 at 22:33)</a>:</h4>
<p>It would be interesting to have a comparison between the ring buffer and the fixed-size buffer in terms of fuzzing efficiency.</p>



<a name="159249269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/fuzzing%20targets/near/159249269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/fuzzing.20targets.html#159249269">(Feb 23 2019 at 22:58)</a>:</h4>
<p>Ah, I <em>think</em> my issue might be that the definition of Action changed at some point after I generated that byte stream. That would do it.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>